How to manage SSL and TLS Protocols for ESXi SFCB Daemon


Article ID: 322207


Products

VMware vCenter Server

Issue/Introduction

ESXi provides Web Based Management (WBEM) services. The sfcbd process exposes the DMTF-standard CIM-XML management protocol API to third-party applications. sfcbd listens on a configurable TCP port; the default port number is 5989.

This 5989 port is protected with Secure Sockets Layer (SSL). SSL comprises a number of protocol versions and ciphers intended to secure and encrypt communication. The protocols SFCB supports in 6.0.x and 6.5.x are sslv3, tls1, tls1.1 and tls1.2. From time to time an SSL protocol version is found to be weak and is judged to no longer provide acceptably secure communication.
Conversely, third-party applications that have not been updated will fail to connect if the SSL protocols they support are not among those configured on the host.



Symptoms:
  - SSL vulnerability scan tools report SSL protocols on TCP port 5989 that the operator does not deem safe.
  - The operator finds that their management software cannot connect to sfcb.
  - sfcbd logs errors in /var/log/syslog under the syslog identity "sfcb-CIMXML-Processor", such as:

sfcb-CIMXML-Processor : Error accepting SSL connection
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
sfcb-CIMXML-Processor SSL Error 1: Code 336027900, String: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
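When these messages start appearing after a protocol change, the useful question for the operator is how many client handshakes are being rejected and which of the two message types they produce. The script below is an added example, not part of the VMware article: it classifies sfcb-CIMXML-Processor handshake failures in syslog output. The sample log lines are constructed from the message texts quoted above; the timestamps and hostname are made up, and on a host you would pass /var/log/syslog instead of the sample file.

```shell
#!/bin/sh
# Added example, not part of the VMware article: count and classify
# sfcb-CIMXML-Processor SSL/TLS handshake failures in syslog output.
# The sample lines are constructed from the message texts quoted in the
# article; timestamps and the hostname "esx01" are made up.

SAMPLE_SYSLOG='2017-03-01T08:00:01Z esx01 sfcb-CIMXML-Processor : Error accepting SSL connection
2017-03-01T08:00:01Z esx01 sfcb-CIMXML-Processor :SSL routines:SSL3_GET_RECORD:wrong version number:s3_pkt.c:339:
2017-03-01T08:00:05Z esx01 sfcb-CIMXML-Processor : Error accepting SSL connection
2017-03-01T08:00:05Z esx01 sfcb-CIMXML-Processor :SSL routines:SSL3_GET_CLIENT_HELLO:wrong version number
2017-03-01T08:00:09Z esx01 sfcb-CIMXML-Processor SSL Error 1: Code 336027900, String: error:140760FC:SSL routines:SSL23_GET_CLIENT_HELLO:unknown protocol
2017-03-01T08:00:10Z esx01 hostd: [info] unrelated line that must be ignored
2017-03-01T08:00:12Z esx01 sfcb-CIMXML-Processor : Error accepting SSL connection'

# sfcb_tls_report FILE
# Prints one key=value per line:
#   accept_errors    "Error accepting SSL connection" lines, one per rejected handshake
#   wrong_version    "wrong version number" detail lines (client hello version not accepted)
#   unknown_protocol "unknown protocol" detail lines (client hello not recognised as SSL/TLS)
sfcb_tls_report() {
    awk '
        /sfcb-CIMXML-Processor/ {
            if ($0 ~ /Error accepting SSL connection/) accept++
            else if ($0 ~ /wrong version number/)     wrongver++
            else if ($0 ~ /unknown protocol/)         unknown++
        }
        END {
            printf "accept_errors=%d\nwrong_version=%d\nunknown_protocol=%d\n",
                   accept, wrongver, unknown
        }' "$1"
}

# sfcb_tls_failures FILE
# Just the number of rejected handshakes, convenient for an alerting threshold.
sfcb_tls_failures() {
    sfcb_tls_report "$1" | sed -n 's/^accept_errors=//p'
}

# Stand-alone demo on the constructed sample.
demo_log="${TMPDIR:-/tmp}/sfcb_sample_syslog.$$"
printf '%s\n' "$SAMPLE_SYSLOG" > "$demo_log"
sfcb_tls_report "$demo_log"
rm -f "$demo_log"
```

A rising accept_errors count right after a protocol was disabled points at clients that still depend on it; the article's resolution below lets you re-enable a protocol temporarily while those clients are updated.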


Environment

VMware vCenter Server 6.5.x
VMware vCenter Server 6.0.x

Cause

When two applications connect over SSL, they must negotiate which SSL protocol version and ciphers they will use.

SFCBD has built-in defaults. For 6.0 and 6.5 it supports TLS1, TLS1.1 and TLS1.2. Each of these protocols can be configured on or off; doing so may limit which client applications can connect successfully, because a client must support at least one of the protocols that SFCBD on ESXi offers.
 

Resolution

The ESXi configuration file /etc/sfcb/sfcb.cfg can contain the following configuration tokens, each of which can be set to true or false. If no entries are present, these are the defaults built into 6.0U3 and 6.5.x:

enableSSLv3: false
enableTLSv1: true
enableTLSv1_1: true
enableTLSv1_2: true


Once these entries are inserted into /etc/sfcb/sfcb.cfg and the WBEM services are restarted, the new configuration takes effect. For more information, see How to disable the CIM agent on the ESX/ESXi host (1025757).

Example configuration: Small Footprint CIM Broker Daemon (SFCBD) - Port 5989 on 6.0U3

To configure TLS protocols:
  1. Log in to ESXi with an SSH session and root credentials.
  2. Run this command to stop the sfcbd service and open the config file in the vi editor:

    /etc/init.d/sfcbd-watchdog stop && vi /etc/sfcb/sfcb.cfg

  3. Enable or disable protocols by setting each one to true or false. For example:

    enableTLSv1: true/false
    enableTLSv1_1: true/false
    enableTLSv1_2: true/false

  4. Save and exit the file.
  5. Restart the SFCBD service for the configuration to take effect by running this command:

    /etc/init.d/sfcbd-watchdog start

Example configuration: Small Footprint CIM Broker Daemon (SFCBD) - Port 5989 on 6.5

To configure TLS protocols:

  1. Log in to ESXi with an SSH session and root credentials.
  2. Run this command to stop the WBEM service and open the sfcb.cfg file in the vi editor:

    esxcli system wbem set --enable 0 && vi /etc/sfcb/sfcb.cfg

  3. Enable or disable protocols by setting each one to true or false. For example:

    enableTLSv1: true/false
    enableTLSv1_1: true/false
    enableTLSv1_2: true/false

  4. Save and exit the file.
  5. Restart the SFCBD service for the configuration to take effect by running this command:

    esxcli system wbem set --enable 1
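Hand-editing sfcb.cfg in vi works for one host, but across many hosts an idempotent script is safer: it cannot leave a token misspelled or duplicated. The following is an added example and not VMware's own tooling. It is written in POSIX sh so it also runs in the ESXi busybox shell, uses only the token names and the 6.0U3/6.5 defaults listed in this article, and assumes the "token: value" line format shown above. The esxcli and init.d commands in apply_sfcb_hardening_65 are the ones from the two procedures above; everything else (function names, the sample config) is constructed for the example. The demo at the bottom works on a temporary copy so it never touches a real /etc/sfcb/sfcb.cfg.

```shell
#!/bin/sh
# Added example, not VMware's own tooling: set the enableSSLv3/enableTLSv1* tokens
# in an sfcb.cfg file idempotently instead of hand-editing it in vi. POSIX sh so it
# also runs in the ESXi busybox shell. Token names and the 6.0U3/6.5 defaults are
# those listed in the article; the file format assumed is "token: value".

# set_sfcb_token FILE TOKEN VALUE
# Replaces an existing "TOKEN: ..." line or appends one. Refuses unknown tokens and
# values other than true/false so a typo cannot silently leave a protocol enabled.
set_sfcb_token() {
    cfg=$1; token=$2; value=$3
    case "$value" in
        true|false) ;;
        *) echo "set_sfcb_token: value must be true or false, got '$value'" >&2; return 2 ;;
    esac
    case "$token" in
        enableSSLv3|enableTLSv1|enableTLSv1_1|enableTLSv1_2) ;;
        *) echo "set_sfcb_token: unknown token '$token'" >&2; return 2 ;;
    esac
    tmp="$cfg.tmp.$$"
    if [ -f "$cfg" ] && grep -q "^$token:" "$cfg"; then
        sed "s/^$token:.*/$token: $value/" "$cfg" > "$tmp"
    else
        if [ -f "$cfg" ]; then cat "$cfg" > "$tmp"; else : > "$tmp"; fi
        echo "$token: $value" >> "$tmp"
    fi
    mv "$tmp" "$cfg"
}

# get_sfcb_token FILE TOKEN
# Prints the effective value: the last matching line in the file or, when the token
# is absent, the built-in default from the article (SSLv3 off, TLS 1.0/1.1/1.2 on).
get_sfcb_token() {
    cfg=$1; token=$2
    v=""
    [ -f "$cfg" ] && v=$(sed -n "s/^$token:[[:space:]]*//p" "$cfg" | tail -n 1)
    if [ -n "$v" ]; then
        echo "$v"
        return 0
    fi
    case "$token" in
        enableSSLv3) echo false ;;
        enableTLSv1|enableTLSv1_1|enableTLSv1_2) echo true ;;
        *) return 1 ;;
    esac
}

# harden_sfcb FILE
# Leaves only TLS 1.2 enabled. If a client still needs TLS 1.1, re-enable it with
# set_sfcb_token FILE enableTLSv1_1 true: as the article notes, a client must support
# at least one protocol the daemon offers or its connection will fail.
harden_sfcb() {
    cfg=$1
    set_sfcb_token "$cfg" enableSSLv3 false &&
    set_sfcb_token "$cfg" enableTLSv1 false &&
    set_sfcb_token "$cfg" enableTLSv1_1 false &&
    set_sfcb_token "$cfg" enableTLSv1_2 true
}

# apply_sfcb_hardening_65
# The full 6.5 procedure from the article: stop WBEM, edit /etc/sfcb/sfcb.cfg, start WBEM.
# Only meaningful on an ESXi host, so it is defined here but not run by the demo below.
# On 6.0U3 use "/etc/init.d/sfcbd-watchdog stop" and "start" instead of the esxcli calls.
apply_sfcb_hardening_65() {
    esxcli system wbem set --enable 0 &&
    harden_sfcb /etc/sfcb/sfcb.cfg &&
    esxcli system wbem set --enable 1
}

# Stand-alone demo on a constructed sfcb.cfg copy, so nothing on a real host is touched.
demo_cfg="${TMPDIR:-/tmp}/sfcb_demo.cfg.$$"
printf '# constructed sample sfcb.cfg\nenableTLSv1: true\n' > "$demo_cfg"
harden_sfcb "$demo_cfg"
for t in enableSSLv3 enableTLSv1 enableTLSv1_1 enableTLSv1_2; do
    echo "$t -> $(get_sfcb_token "$demo_cfg" "$t")"
done
rm -f "$demo_cfg"
```

Because set_sfcb_token rewrites an existing line rather than appending a second one, running harden_sfcb twice yields the same file, which is what you want when the script is pushed out repeatedly by configuration management.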


Additional Information

The TLS Reconfiguration Utility does not manage SFCB settings in 6.x release.

Managing TLS protocol configuration for vSphere 6.5/6.7
Managing TLS protocol configuration for vSphere 6.0 Update 3
vSphere Client fails to connect to the vCenter Server or ESXi with TLSv1.0 disabled

Impact/Risks:
Allowing SSL protocols considered insecure is not recommended by VMware. SSLv3 was previously disabled by default in the 6.0.x release.

Operators are encouraged to update their client applications to use the SSL protocols recommended by their IT/security teams.